asw145

Application Security Weekly Episode #145 – March 29, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. OWASP Top 10 of 2021 – 12:30 PM-01:00 PM

Announcements

  • Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!

  • If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!

Description

The OWASP Top 10 2021 is in development. A public survey has just been released. We have finished collecting data. I would like to discuss what the plans are for the OWASP Top 10 2021, and when it will be released, and how you can get involved.

https://owasp.org/www-project-top-ten/

https://github.com/OWASP/Top10

Guest(s)

Andrew van der Stock

Andrew van der Stock – Executive Director at OWASP Foundation

@vanderaj

Andrew is a seasoned web application security specialist and enterprise security architect. He is the Executive Director at OWASP, taking the Foundation through organizational change and taking our mission to the next level. Andrew has worked in the IT industry for over 25 years. Andrew has researched and developed the web application security and architecture fields since 1998. He is a Lifetime member of OWASP, former Director, and co-leads the OWASP Application Security Verification Standard and OWASP Top 10 projects. An Australian ex-pat of Melbourne and Sydney, he currently lives in the USA with his family.

Hosts

JohnKinsella

John Kinsella

@johnlkinsella

Chief Architect at Accurics

MikeShema

Mike Shema

@Codexatron

Product Security Lead at Square

2. TikTok Analysis, Patching Patches, CI/CD Integrity, Faster Fuzzing, & Slack Safety – 01:00 PM-01:30 PM

Announcements

  • Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, join our Discord Server, and follow us on our newest live-streaming platform, Twitch!

  • Our next live webcast will be on April 29th at 11am ET where you will learn how to prepare for modern ransomware attacks! Visit https://securityweekly.com/webcasts to register now! If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand

Description

Security and privacy technical analysis of TikTok, subtle parsing problems, chain of trust through a CI/CD pipeline, faster fuzzing even without source code, interplay of application security and application safety!

Hosts

JohnKinsella

John Kinsella

@johnlkinsella

Chief Architect at Accurics

  1. Netmask npm library incorrectly parses octal IPs – It turns out web browsers and such will parse an IP address with a leading 0 as octal. The netmask library doesn’t, which could lead to SSRF and other interesting attacks
  2. Finding undocumented x86 instructions on modern processors – Back in The Day, one could iterate through instruction codes, looking for undocumented cpu instructions. Nowadays that’s a painful process that can cause crashes, lockups, etc. Here’s a way to leverage speculative execution to make the search easier
MikeShema

Mike Shema

@Codexatron

Product Security Lead at Square

  1. TikTok vs Douyin — A Security and Privacy Analysis – A technical analysis of two social media apps that uses reverse engineering and traffic analysis to gather information on how well the apps handle privacy and security, as well as potential abuse for censorship. It’s aimed at providing technical information to inform policy decisions. It also serves as a great template for analyzing and documenting privacy and security aspects of a mobile app, with methodologies that any appsec team could benefit from.
  2. SolarWinds Experimenting With New Software Build System in Wake of Breach – SolarWinds serves as a good thought exercise for establishing a chain of trust throughout a CI/CD pipeline. We’ve mentioned reproducible builds and and signing deployed artifacts. The pressing security question is how do you gain confidence that the code your developers wrote was ultimately what produced the artifact you built? This raises more questions throughout the pipeline in terms of identity, access controls, and observability of every step that has the potential to influence how code is built and packaged.
  3. SaltStack: further injection vulnerabilities – We sometimes see security patches that need patches — situations where the original patch addressed a symptom, but missed an underlying design flaw or didn’t go deep enough into understanding the original issue. While this particular vuln may not be that impactful, it shows how developers can still make subtle mistakes in the ubiquitous feature of parsing command-line arguments.
  4. Un-bee-lievable Performance: Fast Coverage-guided Fuzzing with Honeybee and Intel Processor Trace – An insight into the engineering that went into turning Intel Processor Trace from performance penalty to advantageous assistant for coverage-guided fuzzing. It’s a benefit that makes a lack of source code less of a liability when fuzzing for flaws.
  5. Organizations rush to restrict new Slack Connect feature fearing security threats – Securing software against injection flaws and the types of vulns that show up in top 10 lists doesn’t mean the software is secure for users. This is a good lesson in expanding threat models to how well your software secures the user experience, especially in apps designed for social interaction.
  6. Secure containerized environments with updated threat matrix for Kubernetes – How do we communicate that “security is better” or convey the value that security can deliver? This is a brief article that focuses on a handful of k8s changes, from better defaults to new types of attack vectors. Yet it’s grounded against a useful framework, MITRE ATT&CK, and only needs to make simple points to demonstrate where security teams might invest their efforts.
  7. Analyzing attacks taking advantage of the Exchange Server vulnerabilities – In the time you’ve (hopefully!) saved by not running Exchange servers and hence having to go through the patch scramble, you could be running a “premortem” or tabletop exercise on how resilient your app environment might be to the types of post-exploitation activities documented in the Exchange server attacks. How well does your environment detect, prevent, or respond to arbitrary file writes, privilege escalation, arbitrary command execution, and data exfiltration?